GHSA-C3WQ-J5VH-68RC: Hugo Symlink Confinement Bypass in os.ReadFile
Vulnerability ID: GHSA-C3WQ-J5VH-68RC
CVSS Score: 6.0
Published: 2026-06-19
Hugo versions v0.123.0 through v0.163.0 are vulnerable to a directory confinement bypass. A regression in the virtual filesystem layer causes symbolic links to be followed during template execution, allowing templates to read arbitrary host files.
TL;DR
A directory confinement regression in Hugo's virtual filesystem allows unauthenticated arbitrary file read during build execution via malicious symbolic links placed in templates or themes.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-59
- Attack Vector: Local
- CVSS v4 Score: 6.0
- Exploit Status: PoC
- Impact: Arbitrary File Read
- CISA KEV Status: Not Listed
Affected Systems
- Hugo Static Site Generator
- Hugo: >= v0.123.0, < v0.163.1 (Fixed in: v0.163.1)
Mitigation Strategies
- Upgrade to Hugo v0.163.1 or later
- Scan repositories for absolute or traversing symbolic links prior to building
- Deploy Hugo compilation jobs in unprivileged, network-isolated container sandboxes
Remediation Steps:
- Check the installed Hugo version by executing 'hugo version'.
- If the version is between v0.123.0 and v0.163.0, upgrade to v0.163.1 or higher using your package manager or directly from the official releases.
- Run 'find . -type l -ls' within the project root to check for symbolic links.
- Enforce static-analysis filters in continuous integration workflows to drop commits containing files with symlink mode bits.
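The symlink scan from the remediation steps, written out as a CI gate. This is an added example, not part of the advisory or of Hugo: it assumes `find` and `readlink` are available, and it classifies a link as unsafe when its target is absolute or when the target's `..` components climb above the project root. The check is purely textual (it does not resolve symlinks that may sit inside the target path), so treat it as a pre-build filter, not as a replacement for upgrading.

```sh
#!/bin/sh
# Added example (not from the advisory): flag symbolic links that leave the
# project root, as described in the mitigation and remediation steps.

# link_escapes RELDIR TARGET
#   RELDIR: directory containing the link, relative to the project root
#   TARGET: raw link target as stored in the symlink
#   Returns 0 (true) if TARGET is absolute or climbs above the root.
link_escapes() {
    reldir=$1
    target=$2
    case $target in
        /*) return 0 ;;            # absolute target: always outside the tree
    esac
    depth=0                        # how far below the root the link lives
    oldifs=$IFS; IFS=/
    for comp in $reldir; do
        [ -n "$comp" ] && [ "$comp" != . ] && depth=$((depth + 1))
    done
    for comp in $target; do        # walk the target one component at a time
        case $comp in
            ''|.) ;;
            ..) depth=$((depth - 1))
                [ "$depth" -lt 0 ] && { IFS=$oldifs; return 0; } ;;
            *)  depth=$((depth + 1)) ;;
        esac
    done
    IFS=$oldifs
    return 1
}

# scan_symlinks ROOT
#   Prints "<link> -> <target>" for every escaping link under ROOT (sorted),
#   returns 1 if any were found so a CI job can fail the build, else 0.
scan_symlinks() {
    root=$1
    found=0
    while IFS= read -r link; do
        [ -z "$link" ] && continue
        target=$(readlink "$root/$link")
        reldir=${link%/*}          # find prints ./a/b, so this always has a slash
        if link_escapes "$reldir" "$target"; then
            printf '%s -> %s\n' "$link" "$target"
            found=1
        fi
    done <<EOF
$(cd "$root" && find . -type l | sort)
EOF
    return $found
}

# Usage: sh check-symlinks.sh /path/to/hugo/site
if [ "$#" -eq 1 ]; then scan_symlinks "$1"; exit $?; fi
```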
References
Read the full report for GHSA-C3WQ-J5VH-68RC on our website for more details including interactive diagrams and full exploit analysis.